The Support Forums will be in read-only mode for a scheduled maintenance window on 01 September 2016 14:00 UTC - 20:00 UTC. More information.

Hacked website possibly through Contact Form 7 & Really Simple CAPTCHA plugins!! (9 posts)

  1. B_Dark
    Posted 4 years ago #

    in 3 Dec 2011 11:17:56 PM on websitedefender.com it give me these 2 messages:

    1."File structure change: 1 new file found

    One or more new files were created on the web server. You can find the list of newly created files below:

    List of new files
    Filename Creation time
    /home/cat/public_html/mysite.com/wp-content/uploads/wpcf7_captcha/1377993414.php 3 Dec 2011 11:17:56 PM"

    2."An executable PHP file /mysite.com/wp-content/uploads/wpcf7_captcha/1377993414.php was found the the WordPress uploads directory. By default WordPress doesn't allow uploading of PHP files in the uploads directory. Usually hackers are uploading malicious executable files in this directory because in a secure installation it's the only directory that has write permissions. The presence of this file in the uploads directory may indicate that your system was compromised.

    Analyze the contents of this file. If the file is malicious, delete it immediately from your system!"

    In 2 hours it moved all the pages in trash bin, it erased and changed many menus, it had erased more then 600 "featured images" and "external media" videos.
    I tried to delete the "wp-content/uploads/wpcf7_captcha/1377993414.php" but I didn't anything in it. I deleted the file "wpcf7_captcha". I want you to tell how did this happened

    I use WP 3.2.1,
    Better WP Security 2.10,
    Wordpress Firewall 2 1.3,
    Contact Form 7 3.0.1,
    Really Simple CAPTCHA 1.2
    in this site single wp .

    And i have in my one multisite wp in main root of my host the WebsiteDefender WordPress 2.0.6 to scan all my host

    1. How did this thing happened?

    2.I have backup of 2 dec. and I have the corrupted base and at 3 dec. I have 3 new posts and I don't want to lose them. Which sql queries I call and in which tables, in order to add in the base of tables of 2 dec. the 2 new posts from 3 dec. ?!?!?

    Please help me!!!

  2. Takayuki Miyoshi
    Posted 4 years ago #

    It is websitedefender.com's false-positive. No problem.


    These files are temporary files created by Really Simple CAPTCHA. Not malicious.


  3. B_Dark
    Posted 4 years ago #

    ok my bad maybe but i lost a lot o things of my wp site the same time with this information from websitedefender.com

    Please, somebody help me with this one.
    I have backup of 2 dec. and I have the corrupted base and at 3 dec. I have 3 new posts and I don't want to lose them. Which sql queries I call and in which tables, in order to add in the base of tables of 2 dec. the 2 new posts from 3 dec. ?!?!?

  4. westerdaled
    Posted 4 years ago #


    I am in the exact position and I nearly nuked my blog site bacuse of it. I think routinely ignoring security scans doesn't sound like a good idea. Do I take it we need to change the temp dir to a user defined location as outlined in
    http://contactform7.com/blog/2009/11/25/captcha/ .

  5. westerdaled
    Posted 4 years ago #


    I have now changed the defualt wp_content/uploads/wpcf7_captcha
    with an entry in config.php

    /** here we stop C form 7 writing to the wp_content/upload dir by using our our own dir*/

    define( 'WPCF7_CAPTCHA_TMP_DIR', 'WHEREEVER/' );

    This now works but was more fiddly than than it looks

    1) check the the contact form 7 settings page as this reports whether your chosen directory is writable or not after your ftp accross your amended config.php.
    2) using the new sytax for the the contact form short code
    3) backup you config.php! I managed to corrupt mine but recovered from backup.

  6. emilysparkle
    Posted 4 years ago #

    thanks for this thread, i'm a new website defender user and am terrified every time i see a 'red alert'! so, can i just clarify that you're saying the files that appear in /uploads/wpcf7_captcha/ are not malicious, but it's better to move their landing place to somewhere else?

    and sorry to be thick, but what variable is 'WHEREVER'? my url? and wehre is new syntax? do i need to rebuild my forms?


  7. westerdaled
    Posted 4 years ago #


    Yes, it appears to be a false alarm. Just keep WebSite Defender happy I moved the location where these .php and images are stored. THis you can do through
    this change in your config.php

    define( 'WPCF7_CAPTCHA_TMP_DIR', 'WHEREEVER/' );

    the 'WHATEVER/' is any directory name you chose to create so '/mycaptcha' anything your want. You will need to use an ftp client such as FileZila. It will also set the file mask (chmod) of the directory to 0777 to keep Contact Form 7 happy.

    No need to rebuild your forms - I simply changed the syntax of the short code to keep it up to date.

    One final thing... I suggest your google "hardening your WordPress site "as web site defender is simply one component of your anti hacking armour..

    Good luck


  8. gnosis_wp
    Posted 3 years ago #

    Why would I need to make an entry in wp-config.php:

    define( 'WPCF7_CAPTCHA_TMP_DIR', 'WHEREEVER/' );

  9. westerdaled
    Posted 3 years ago #


    I am no expert but I understand, WordPress needs this content/uploads/wpcf7_captcha directory to have restricted permissions. you have to specify your own directory if you want the generated files not be flagged as an issue. I got inconsistent results to be honest.

    Good luck

Topic Closed

This topic has been closed to new replies.

About this Topic